21st > February > 2003 Archive

Pipex and Eclipse win top Internet ‘Oscars’

Pipex and Eclipse have scooped the top awards at this year's "Internet Oscars" held in London last night. Pipex won "Best Consumer Broadband Provider" by offering a "good access level price for consumers requiring an all in one package to access the Internet with a high-speed connection". Eclipse walked away with the "Best Business Broadband Provider" for its "commitment to research and development and customer service" and its "commitment to offering important value added services, such as virtual private network solutions". Freeserve topped the list in the "Best Unmetered ISP" category for continuing to give consumers "value-for-money access and services, good customer support and the flexibility of not being tied into a contract". And the "Best National Consumer ISP" went to One.Tel, while Claranet won the "Best National Business ISP". Richard Allan, MP, was awarded the "Internet Hero" gong for his ongoing support and understanding of the Internet and the Internet industry. And the title of "Internet Villain" went to the Home Office for its Anti-Terrorism, Crime and Security (ATCS) Act and continued delays associated with the Regulation of Investigatory Powers Act (RIPA). Which is nice. ®

Related Stories: NTL demo targets UK Net Oscars; ISPA posts shortlists for Internet industry awards; RIAA nominated for Internet Villain award
Tim Richardson, 21 Feb 2003

Unions fight call centre crossed legs

Britain's bosses are being pressed to treat their staff with respect and allow them sufficient time to take pee breaks. Launching a campaign today, the TUC highlights a legal loophole which says that employers have got to provide lavatories for their staff, but don't have to let them go when they want. Call centres - where there is great pressure to respond to customer enquiries - have been singled out as one area where this problem can be particularly acute. Some employers time exactly how long workers are away from their workstations - information that can be used at a later date during work-related assessments. Others insist that employees have to put up their hands and get permission when they want to visit the lavvy. TUC General Secretary Elect Brendan Barber said: "It's incredible to think that in the twenty-first century, workers are still being penalised for going to the loo. "Employers clinging to Dickensian bathroom break policies should understand that if they trusted and respected their staff, and treated them as adults, not naughty children, they would end up with a healthier, better motivated, more productive workforce," he said. ®
Tim Richardson, 21 Feb 2003

Crypto attack against SSL outlined

Swiss security researchers have discovered an attack against implementations of the ubiquitous SSL protocol that could potentially compromise email passwords, though not ecommerce transactions. The protocol itself has not been compromised and the weakness only applies to versions of OpenSSL prior to 0.9.6i and 0.9.7a, according to early analysis. Users of earlier versions of OpenSSL are strongly advised to upgrade. At this point it's unclear whether alternative implementations of SSL are at risk. Credit card transactions secured using even earlier versions of OpenSSL are not at risk because of the mechanism of the attack. Secure Sockets Layer (SSL), which is supported by all major Web browsers, is one of the most common security protocols in use on the Net. SSL, and its successor Transport Layer Security (TLS), manage the security of message transmission, which can be anything from the credit card details sent during an ecommerce transaction to an Outlook client logging onto an email server. In a paper, researchers at the Security and Cryptography Laboratory (Lasec) of the Swiss university EPFL demonstrate a timing-based attack on CBC cipher suites in SSL and TLS. The attack assumes that multiple SSL or TLS connections involve a common fixed plaintext block, such as a password. Since credit card numbers are normally sent to a secure server only once, this particular attack has little or no chance of success against them. When checking email over a secure connection, using for example an Outlook Express 6.x client, the password is sent afresh each time email is checked. This leaves the door open for an attack. The researchers at Lasec have demonstrated a form of man-in-the-middle attack (using DNS spoofing) that can be used to discover email passwords. Essentially an attacker would substitute specially crafted ciphertext blocks into a legitimate communication and monitor the error messages an email server generates.
In this way, through cryptanalysis of the error messages, it is possible to glean clues about the make-up of a legitimate password. Dictionary or brute force attacks may then be used, as explained in greater detail in the researchers' paper. The flaw with earlier versions of OpenSSL lies in the way error messages are constructed, a problem that no longer applies in OpenSSL versions 0.9.6i and 0.9.7a. This point is explained by the OpenSSL project in much greater depth in an advisory published earlier this week. ®

External Links: Password Interception in a SSL/TLS Channel, paper by security researchers at Lasec; OpenSSL Security Advisory [19 February]: Timing-based attacks on SSL/TLS with CBC encryption
Related Stories: Admins slow to tackle SSL security risks; Slapper worm spanks Apache servers; Sun Crypto curves into open source project
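To make the distinction the OpenSSL advisory turns on concrete, here is an added example (not from the Lasec paper or the OpenSSL source) modelling the record check a TLS server performs after CBC decryption: the vulnerable version reports a padding failure with a different error, and without doing the MAC work, while the hardened version always computes the MAC and returns one error for both failures. The key, the payload and the 8-byte block size are constructed sample values, and HMAC-SHA1 stands in for the cipher suite's record MAC.

```python
import hmac
import hashlib

# Constructed sample values for this example; HMAC-SHA1 plays the role of the
# record MAC used by the CBC cipher suites under discussion.
MAC_KEY = b"constructed-demo-mac-key"
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes
BLOCK = 8

def build_decrypted_record(payload: bytes) -> bytes:
    """Lay out a record as the server sees it after CBC decryption:
    payload || MAC(payload) || padding, where TLS padding is pad_len + 1
    bytes that all carry the value pad_len (the final byte being the length)."""
    mac = hmac.new(MAC_KEY, payload, hashlib.sha1).digest()
    body = payload + mac
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)

def padding_is_valid(pt: bytes) -> bool:
    pad_len = pt[-1]
    return (pad_len + 1 + MAC_LEN <= len(pt)
            and pt[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))

def mac_is_valid(body: bytes) -> bool:
    payload, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(MAC_KEY, payload, hashlib.sha1).digest(), mac)

def check_vulnerable(pt: bytes):
    """Pre-fix behaviour: bad padding is rejected at once with its own error and no
    MAC is computed, so a padding failure is both faster and labelled differently
    from a MAC failure. Returns (accepted, error, mac_computations)."""
    if not padding_is_valid(pt):
        return False, "decryption_failed", 0
    body = pt[:-(pt[-1] + 1)]
    ok = mac_is_valid(body)
    return ok, None if ok else "bad_record_mac", 1

def check_hardened(pt: bytes):
    """Fixed behaviour: the MAC is computed whether or not the padding was valid
    (over the unstripped record if it was not), and both failures surface as the
    same bad_record_mac error, removing the distinguishing signal."""
    pad_ok = padding_is_valid(pt)
    body = pt[:-(pt[-1] + 1)] if pad_ok else pt
    mac_ok = mac_is_valid(body)
    ok = pad_ok and mac_ok
    return ok, None if ok else "bad_record_mac", 1

def flip_byte(pt: bytes, index: int) -> bytes:
    b = bytearray(pt)
    b[index] ^= 0x01
    return bytes(b)

def compare_behaviour():
    """Run both checks over a good record, a record with corrupted padding and a
    record with a corrupted payload (hence a bad MAC)."""
    good = build_decrypted_record(b"PASS s3cret\r\n")   # 13-byte payload, 7 padding bytes
    bad_pad = flip_byte(good, len(good) - 1)           # corrupt the padding-length byte
    bad_mac = flip_byte(good, 0)                       # corrupt the payload so the MAC fails
    return {
        "vulnerable": [check_vulnerable(r) for r in (good, bad_pad, bad_mac)],
        "hardened": [check_hardened(r) for r in (good, bad_pad, bad_mac)],
    }

if __name__ == "__main__":
    for name, results in compare_behaviour().items():
        print(name, results)
```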
John Leyden, 21 Feb 2003

Selling homeland security – how it works

What did you make up in the war on terror, daddy? The Register's recent discovery of the 'approved news' panel on the front page of the US Customs site is already paying dividends. Today, we have an item headed 'On the front lines of Homeland Security' from NPR. Within this piece, you'll note news of "perhaps the biggest arrest in the ongoing war on terrorism," that of Ahmed Ressam in Port Angeles, Washington. A swift Google on said bomb-toting Algerian leads you to the Royal Canadian Mounted Police records on the case, which commence: "Chronology of Ahmed Ressam Investigation Montreal, December 18, 1999 Following the arrest of Ahmed Ressam by U.S. Customs in Port Angeles, Washington on Tuesday December 14th..." December 14th 1999? Ongoing war against terrorism? Ah yes... ®
John Lettice, 21 Feb 2003

How to get an ATM PIN in 15 guesses

Cambridge researchers have documented a worrying PIN cracking technique against the hardware security modules commonly used by bank ATMs. Mike Bond and Piotr Zielinski have published a paper detailing how a complex mathematical attack can yield a PIN in an average of 15 guesses. By design, it shouldn't be possible to guess a four-digit PIN in fewer than an average of 5,000 attempts. The attack, documented in a paper published earlier this week, is directed against the decimalisation tables used to translate between a card PIN and the hexadecimal value of a PIN generated when the hardware security module checks the validity of a number. The attack works not by going after the PIN directly but by manipulating the contents of the decimalisation table in order to gain clues (such as which digits are or are not present in the PIN). The basic technique allows a PIN to be determined in an average of 24 iterations; refining it might allow an attack to succeed in 15 guesses. The methodology of the attack, too mathematically complex to be properly explained in the context of a news story, is explained here. Mike Bond told us that the risk of attack comes from a corrupt insider, perhaps in computer operations and with access to sensitive manuals, who might be able to use the attack to refine what would otherwise be a brute force attempt to guess PINs. Fraud, in these circumstances, might still be possible. The attack is simply a more powerful, optimised means of cracking PINs. In their paper, Bond and Zielinski outline mechanisms banks might apply to guard against the attack. In the short term, according to Bond, probably the best way to guard against the attack is to make sure it isn't possible to change the decimalisation table without permission. Longer term the researchers warn in their conclusions that "support for decimalisation is not a robust approach to PIN verification".
"Unskewed randomly generated PINs stored encrypted on an online database, as already used by some banks, are significantly more secure," Bond and Zielinski conclude. As a stop gap, an audit trail in the ATM hardware security module will also allow banks to spot when something suspicious occurs. This would allow banks to finger a corrupt insider, but it wouldn't necessarily protect customers, due to ongoing confusion in the UK's liability regulations for bank transactions. Bond explained that UK case law does not as yet determine where liability lies in the case of disputed PIN-authorised transactions. With credit card purchases liability lies with merchants, but for PIN-authorised transactions the question of liability has yet to be determined. The wider consequences of the attack method documented by the Cambridge researchers once again spotlight this gap in UK law. ®

External Links: Decimalisation table attacks for PIN cracking, by Mike Bond and Piotr Zielinski of Cambridge University
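The short-term control Bond recommends, and the reason it matters, can be shown in code. The following is an added example, not code from the paper or any HSM vendor: a toy model of a decimalisation-based PIN check, a probe showing that a single altered table entry changes the verification outcome only when the corresponding hex digit is part of the PIN (the "clue" the article mentions), and a wrapper that pins the table to the bank's approved value and writes any other table to an audit trail. The key, account number and table are constructed, and HMAC-SHA256 stands in for the HSM's DES-based PIN derivation.

```python
import hmac
import hashlib

# Constructed sample values for this example, not from the paper or any real bank.
PIN_KEY = b"constructed-pin-derivation-key"
ACCOUNT = "4000123456789012"
APPROVED_DECTAB = "0123456789012345"   # entry i gives the decimal digit for hex digit i
AUDIT_LOG = []

def hex_digits_used(account: str = ACCOUNT) -> str:
    """The four hex digits the HSM decimalises for this account. A real HSM takes
    them from a DES encryption of the account number under the PIN key;
    HMAC-SHA256 stands in for that keyed function here (an assumption)."""
    return hmac.new(PIN_KEY, account.encode(), hashlib.sha256).hexdigest()[:4]

def derive_natural_pin(dectab: str, account: str = ACCOUNT) -> str:
    """Decimalise the four hex digits through the supplied table."""
    return "".join(dectab[int(c, 16)] for c in hex_digits_used(account))

def hsm_verify(dectab: str, trial_pin: str) -> bool:
    """Unguarded HSM verify command: the caller chooses the decimalisation table."""
    return hmac.compare_digest(derive_natural_pin(dectab), trial_pin)

def table_change_alters_result(hex_digit: str, trial_pin: str) -> bool:
    """The clue the article describes: change one table entry and see whether the
    verification outcome changes. It changes only if that hex digit is one of the
    four behind the PIN, so an unguarded table leaks the PIN's make-up."""
    i = int(hex_digit, 16)
    bumped = str((int(APPROVED_DECTAB[i]) + 1) % 10)
    altered = APPROVED_DECTAB[:i] + bumped + APPROVED_DECTAB[i + 1:]
    return hsm_verify(APPROVED_DECTAB, trial_pin) != hsm_verify(altered, trial_pin)

def guarded_verify(dectab: str, trial_pin: str, operator: str) -> bool:
    """Short-term control: the table is pinned to the approved value, any other
    table is refused, and the attempt goes to an audit trail for investigation."""
    if dectab != APPROVED_DECTAB:
        AUDIT_LOG.append({"event": "dectab_rejected", "operator": operator, "dectab": dectab})
        raise PermissionError("decimalisation table does not match the approved table")
    return hsm_verify(dectab, trial_pin)

if __name__ == "__main__":
    pin = derive_natural_pin(APPROVED_DECTAB)
    print("hex digits used:", hex_digits_used())
    for d in "0123456789abcdef":
        print(d, "alters result:", table_change_alters_result(d, pin))
    print("guarded, approved table:", guarded_verify(APPROVED_DECTAB, pin, "ops-user"))
    try:
        guarded_verify("9876543210012345", pin, "ops-user")
    except PermissionError as e:
        print("guarded, altered table:", e, AUDIT_LOG[-1])
```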
John Leyden, 21 Feb 2003

Spam is ‘public enemy number one’, says AOL

AOL is kicking butt in a bid to clamp down on spam. Writing to some 27m of its customers in the US, the Internet giant explained the steps it was taking to stamp out unsolicited commercial email. It reported that its proprietary anti-spam filtering technology is blocking up to 780m pieces of junk mail a day - an average of 22 blocked spams per account per day. And it warned spammers it would not rest in its fight to stamp out spam. Said Jon Miller, Chairman & CEO of AOL: "I am as fed up with it [spam] as all of our members are. "As a member, and as a parent, I too have become outraged by the tide of spam that's drowning the legitimate email I want to get. "We've declared spam to be public enemy number one on our service. To that end, AOL is rededicating itself on a number of fronts to reducing the number of spam e-mails our members get, and to finding more aggressive and innovative ways to stop spammers in their tracks," he said. Last year AOL won $7m in damages after it claimed its punters had been bombarded with porn spam. The giant Internet company used the court ruling to warn spammers that it will use the full force of the law to hit at anyone who targets its punters with unsolicited email. ®

Related Story: AOL wins $7m in porn spam case
Tim Richardson, 21 Feb 2003

The London charge zone, the DP Act, and MS .NET

Data Protection Act breaches by London's traffic congestion charge system may be numerous and varied, even if you exclude all of the ones that are committed if Mayor Ken's security ring of steel exists. And a report by one of the many (we presume) journalists who've infiltrated the system suggests a) that it doesn't work to anything like the extent claimed; b) that conduct and training of camera operators is inadequate and in breach of CCTV legislation; and c) that the whole shooting match will fall over if too many recipients of penalty charges contest them. Oh, and while we're about it we might mention that it's one of the largest Microsoft .NET projects so far; but we'll get back to that. On the subject of the congestion charge the London Evening Standard has, we accept, been coming on like some crazed petrolhead's implementation of Der Sturmer, but yesterday's report, detailing the experiences of a worker in one of the charge zone's mobile camera units, seems well-grounded. The vehicles housing the mobile cameras, which are intended as backup for the fixed cameras, are claimed to be unreliable, number recognition is ineffective, and the visual checks intended to deal with recognition failure are not being carried out. A BBC Radio reporter broadcast from one of the zone's control rooms earlier this week, counting up in excess of 30 correct identifications before the first failure, but for the mobile units the Standard claims a failure rate of around 40 per cent. Note that this doesn't automatically translate into an overall failure rate of 40 per cent, because the mobile unit cameras have to be hand-sighted, while the fixed ones should already be trained on the right area. However, poor light, dirt and personalised plates should have a similar effect in both cases. Says the Standard: "In dim light it fails to read three out of five registration plates. Muddy ones are almost always misread. It takes almost an hour of tinkering before the stubborn system works."
We should mention that if the charge zone system is acting as a CCTV system then that BBC reporter probably should not have been in the control room. The staff of the mobile unit certainly show no signs of having been briefed on CCTV good practice: "I've just seen David Dimbleby drive past on the camera," says one of the workers. Which would seem to us to be a clear invasion of the good Dimblebore's privacy, and a source of some trouble for Transport for London if he features in the video archive. Pay your tenner and find out, David. Failures of the automatic system are intended to be checked visually. It's not clear if, in the case of the mobile units, the local visual check was the only one, but if it was then many errors will not have been picked up; the Standard reports the crew as watching videos and playing computer games instead. The presence of unauthorised VCR tapes or equipment is incidentally also a CCTV breach. Staff in the control rooms for the fixed cameras clearly will not be allowed to watch LOTR II instead of working, but if the system there is also relying on visual checks in real time, then a likely weak spot of the system emerges. Penalty notices sent out under the system do not as a matter of course include the "capture" picture of the offending vehicle. This can be obtained on request if you send £10, and we feel sure it could also be obtained for free if you make them take you to court. However, if plate readings of non-paying vehicles were being automatically matched up with the correct piece of archive video, then it would be easy for TfL's agents to send out the picture with the penalty notice. They're not doing this, QED the archive isn't being matched up, and TfL probably won't know if a snap exists or is usable until it's requested, or needed for a court case. 
As regards Data Protection Act compliance, quite a lot - although not all - hinges on whether or not you class the system as CCTV, and on whether it can be deemed to be identifying individuals. TfL has however already put its hands up to one blooper - making it mandatory to fill in your phone number, while not telling people it wants the numbers for a customer satisfaction survey. We are told the number is now no longer mandatory, and that TfL proposes to change the layout in accordance with this in due course. But it still intends to use the numbers it's got, which sounds to us like promising to commit a second offence in the act of owning up to the first. One Data Protection compliance consultant who contacted The Register said that it was clear to him that the congestion zone is a CCTV system, and noted that it is not correctly signposted as such. "Without the correct signage the congestion charging cameras are a covert system, and can only be used for a temporary period in response to a specific pre-identified criminal activity... and footage of other criminal activities caught on a covert system is extremely unlikely to be admissible in court. Hence the use of the cameras for activities other than congestion charge administration is certainly unlawful." Another data protection professional says that if TfL's Data Protection registration is wrong (which it is if it's being used for security, CCTV or casually observing the movements of David Dimbleby), then the local authority "could well be acting 'ultra vires'." And he adds that requests under the Act for personal data held need not be particularly specific. "All they need say is they were travelling in a green Mondeo ABC123D between 9 and 10am on such and such a date at location X." As there are cameras throughout the zone, some of them mobile, checking all footage for possible pictures could be a massive task, even if only a few requests were made, never mind 10,000.
TfL would likely argue that the footage didn't qualify because it didn't personally identify anyone, but that argument may not be sustainable (see Dimbleby, above). Export of personal data outside of the EU may also be an issue, and this is where we finally get to Microsoft .NET, by way of Mumbai. Charge zone contractor Capita is not exactly overburdened with successful case study reports, and its sub-contractors also seem somewhat shy and retiring. However Mumbai, India-based Mastek allows itself a small boast about using .NET to implement the charge zone scheme for Capita. "This will be one of the largest projects to be developed under the Microsoft DotNet [sic] platform and will be executed over a period of 16-18 months," says its 2002 annual report. And here, you will see that "Capita is... the largest client for Mastek in the UK." The annual report also describes Capita as "our business partner" and mentions another project, a 'frequent flyer for schools' project called Connexions. Capita meanwhile says nice things about Mastek here, but it is unclear which of Capita's many UK success stories were contributed to by Mastek and .NET. There will undoubtedly be other non-EU contractors (NB, Mastek does have a London office) covered by TfL's catch-all "worldwide" Data Protection register entry for personal data distribution. In the case of US companies, these should be registered under the US-EU "Safe Harbour" scheme, whilst it is illegal under EU law to export data to companies outside of the EU or of the Safe Harbour scheme, where local data protection legislation does not match EU standards. As we don't know who the companies are, then TfL's compliance here can't yet be assessed. However, if the scheme turns out to be exporting personal data which TfL has wrongly categorised as not being personal data, then contractors' data protection status might suddenly become more relevant than TfL had anticipated. 
We're also led to believe that TfL's record on CCTV data compliance in general might have been somewhat inglorious. But perhaps more of that another day. ®
John Lettice, 21 Feb 2003

Poker.com Inc continues fight over ‘hijacked’ URL

Update Poker.com Inc is continuing to pursue "all legal avenues" in a bid to regain control of the domain www.poker.com. In December, the Canada-based company claimed it had been the victim of a "form of technological piracy" after it alleged that the poker.com domain was "hijacked and re-directed without the consent or knowledge of the company". In a new statement Poker.com Inc. (and not Poker.com as we wrote in a previous version of this article. That's the other side. Apologies for any confusion created by our own confusion) said that a recent ICANN ruling refused to acknowledge that Communication Services Inc (the current registrant of the domain) were using the URL illegally and suggested that action would more appropriately be commenced against ALA Corp (the previous registrant of the domain). Actually, the arbitrator went a great deal further than that, noting that it "is difficult to see how Complainant UniNet (an affiliate of Poker.com Inc which teamed up in the ICANN arbitration) has or ever had any interest in the trademarks at issue". Following the ruling, Judith Silver, a trademark lawyer acting on behalf of Communication Services Inc., accused Poker.com Inc and Uninet of attempting to "litigate a contract dispute with a party other than the domain registrant using the ICANN system." Now for a quote from Malcolm Nickerson, director of Communications Services Inc: "This entire matter stems from a dispute between UniNet Inc. and Ala Corporation and has nothing whatsoever to do with Communications Services Inc. In my opinion, this complaint was an unwarranted abuse of the ICANN system". According to Nickerson, the dispute between UniNet Inc. and Ala Corporation stems from an "allegation by UniNet Technologies that it has a valid right to use the domain name www.poker.com arising from an alleged license agreement with Ala Corporation". Got that? You can read the ruling, CPR Case 00301, in full at the CPR Institute for Dispute Resolution. ®

Related Story: Hijacked? Fight over Poker.com URL
Tim Richardson, 21 Feb 2003

IBM launches powerful AIX/Linux entry-level server

IBM today launched what it touts as the world's most powerful entry-level Web server. The 4-way eServer pSeries 630, which features IBM's latest Power4+ processor, has far greater horsepower under the bonnet than competitive servers, IBM boasts. In a benchmark of secure Web serving performance, a 4-way 1.45 GHz p630 set a record for entry-level (4-way) systems, supporting 1,988 simultaneous connections. Using the same SPECweb99_SSL performance measure, a 4-way Sun Fire V480 supported only 568 simultaneous connections. The 4-way 1.45 GHz p630 set an additional 4-way Web serving record when the system processed 6,895 simultaneous connections, or more than 50 per cent more performance than a 4-way Sun Fire V480 (4,500 simultaneous connections). These SPECweb99 results can be found here. In a measure of file serving performance a 4-way eServer p630 with the POWER 4+ chip processed 33,593 operations per second (ops), nearly twice as many as a 4-way HP rp5470 with 17,979 ops, based on the same SPECsfs97_R1.v3 benchmark. [That's quite enough benchmarks: Ed] The p630 is designed to run IBM's AIX and Linux operating systems. IBM anticipates that one or more Linux distributors will support 64-bit Linux on the eServer p630 in the first half of this year. LPAR (partitioning) capabilities of the p630 enable customers to divide the machine into up to four "virtual" servers. These systems can be dynamically changed in size to accommodate shifting workloads. Prices for the p630 server, due to be available from next Friday (February 28), start at $19,913. ®
John Leyden, 21 Feb 2003

Oops – Internet credit card Marbles' web site goes MIA

In one of life's more astonishing pieces of bad luck, the web site of the Internet-oriented Marbles credit card vanished today, just as The Register's new Marbles card and Internet login details arrived. The Marbles card is pitched as being Internet-friendly, in that it allows you to look at your account online and it includes Internet delivery insurance, but in the absence of www.marbles.com these advantages tend to look rather more like disadvantages. The Register's DNS techies tell us that marbles.com's DNS servers are currently denying all knowledge of marbles.com, in which case the problem would seem to stem from a configuration error. The domain's whois lookup records a change yesterday, which might tally with a disappearance today. We at The Register know the sound of propagation creeping up on you only too well. Marbles has yet to get back to us with an explanation of what happened and an ETA for resumption of normal service, but if they're on it now, we'd guess they ought to be back by tomorrow afternoon at the latest. ®
John Lettice, 21 Feb 2003

Unisys boss predicts telco restructuring

The days of dialling up to retrieve your voicemail are numbered, thanks to audio MMS, says Carlo d'Asaro Biondo, the general manager for communications and media at Unisys EMEA. Delivering voicemail as a free MMS message not only gives a better service, but will save millions of minutes a year on congested voice networks by moving the traffic onto under-utilised GPRS networks. Biondo was speaking as Unisys announced a number of system integration deals with networks, including a $9m integrated messaging project for Polish mobile carrier PTK Centertel and a £5.5m contract with BT Wholesale for a directory services system. "We are on the verge of big changes at the telcos," says Biondo, who joined Unisys from KPMG where he was the consultancy's French CEO. He predicts that network operators could have just two to three years left in their present form, instead being forced to split into separate groups or divest divisions which operate under very different pressures. "The mentality was 'I don't care if it makes money as long as it brings me more traffic.' That's changed and now the focus on cashflow means that every part of the operation has to be profitable in its own right," he says. "Companies are looking for extreme granularity in their profit and loss accounts, so they can allocate costs and measure return on investment." He is sceptical of attempts by telcos to add value to their networks through services and retail operations. He points out that these activities work in fundamentally different ways - the profitability of a network depends on volume, retail depends on efficiency, and the profitability of services is based on content and innovation. "We will see a splitting of those three layers, maybe into different companies," he says. He adds that the prime candidates here are those telcos which own multiple networks, for example wired telephony, mobile and IP. "The current split between fixed and mobile is not the issue," he says.
"The services could be the same on both, and that's what counts, so those networks could be managed as one. "The retail part needs to merge with other retail operations, and the services layer is more and more dependent on partners, content providers and system integrators." Telcos need to look at things that belong in the network, such as information management and storage, he says, while building a platform that allows them to easily add third-party services on a revenue-sharing model similar to iMode. Amazingly enough, this is something which Unisys can help them do. ®
Bryan Betts, 21 Feb 2003

AOL probes hacker “breach”

AOL is investigating reports that crackers gained access to its customer database through a combination of cracking and social engineering exploits. The allegation of an extremely serious security breach is published today in Wired. The publication interviewed hackers who claim to have gained full access to Merlin, AOL's latest intranet-based customer database application. If true, the breach potentially exposes the private information of AOL's 35 million users. However, we have serious doubts that the Merlin exploit as detailed would be effective. Wired explains the scenario thus:

"The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library. When the file is executed, the Trojan horse connects the user who launched it to an Internet relay chat server, which the hacker can use to issue commands on the targeted machine. This allows the hacker to enter the internal AOL network and the Merlin application. Merlin requires a user ID, two passwords and a SecurID code, all of which hackers obtain by spamming the AOL employee database with phony security updates, through online password trades, or by "social engineering" attacks over IM or the telephone."

Hmmm. SecurID codes change constantly, every 60 seconds, and are almost always contained in a device (for example a keyfob) which is separate from a user's PC. For this reason we have our doubts that the exploit - as explained - would work. Hackers would need to steal a token (and hope it wasn't cancelled), or have someone on the inside feeding them information on request, it would seem.

Mumbling's the word

These doubts aside, the Wired article contains a fresh twist on the latest social-engineering exploits, which we'll call war-mumbling. Again AOL is the target of this alleged attack. A hacker, nicknamed hakrobatik, explained the trick to Wired:

"I kept calling and pretending I just had jaw surgery and mumbling gibberish. At first I had no info except the screen name, then I called and got the first name and last name by saying, 'Could you repeat what I just said?' Then each time that I got information I called back making the real information understandable, and everything else I just mumbled. Eventually service reps got so fed up that they reset a user's password."

In this way, hakrobatik plausibly claims, a cracker could gain access to any AOL member's account - using only a screen name - by phoning up overseas call centres. An AOL spokesman told us it was investigating the allegations of security breaches documented by Wired. He said: "We take any attempt to compromise a member's personal information extremely seriously. Such actions are illegal, and we will work with law enforcement to prosecute whenever possible. We are currently investigating the specific allegations." ®

External Link: Wired: Hackers Run Wild and Free on AOL
John Leyden, 21 Feb 2003